Navigant Research Blog

Data Analytics Bring Integrity Challenges

Bob Lockhart — June 6, 2014

The only thing worse than making no decision is making the wrong decision. As utilities embark into analytics-driven decisions, they must keep this in mind. When the analytics are down and there is no data at all, utilities can go into human intervention mode, which they did for the first 100 years of their existence. But when the data is available but wrong, that’s when havoc may be wreaked. The increase of automation enables fast and fine-grained control that utilities have never before enjoyed. Yet, that automation assumes accurate data. Inaccurate data leads to inaccurate decisions.

In other words, data, like people, needs integrity.

Integrity simply means that the data has not been modified without detection. Less frequently discussed than confidentiality and availability, data integrity suffers from a sort of middle-child syndrome. Whether we talk about enterprise IT security or control system security, integrity sits sandwiched between confidentiality and availability. Yet, integrity is nearly as critical as availability.

Available and Integral

To their credit, the data analytics experts that I speak with often mention security. It’s usually the last topic they cover, but they do cover it. That’s okay. We security practitioners are always last on the agenda and we expect to be last on the agenda. Unless there are auditors in the room – then they go last.

The most important security aspect of data analytics for utilities is availability. If your data is not available when you need it, then it is useless. Timing is critical. Grid reliability may need to act on data generated within, oh say, the last 4 milliseconds. On the other hand, time-of-use rate design has less strident requirements. No matter what, the right data must be available when it’s needed. Nearly everybody gets that.

But data integrity is nearly as important as availability. One key to ensuring data integrity is data encryption. Often associated with confidentiality, encryption also ensures data integrity via the use of message digests, calculations that indicate whether or not a data record has been modified. Modern grid sensors usually have built-in encryption capability, using standards-based approaches. However, many legacy devices (read, old) do not have the computing power to implement encryption. Some have essentially no computing power at all.

The Devil in Legacy Devices

Yet, legacy devices remain critical to the stable operation of distribution networks. There is no absolute protection for these devices yet. Control system vendors sell bump-in-the-wire devices – which can be placed right next to a legacy device to encrypt its data. But the device itself is still unprotected. National labs and commercial vendors have launched ambitious research programs to identify new ways to ensure data integrity from legacy devices.

And therein lies the problem: data from legacy devices is every bit as important as data from modern devices. Under the norms of cyber security paranoia, we must assume that legacy device data is compromised. Until – if ever – we can rest assured that legacy devices are adequately protected (or replaced en masse), we need something to ensure that legacy sensor data is reasonable and unmodified. Massive volumes of data suggest that only automated inspection can accomplish this – human intervention need not apply.

All of which means: do not overlook the data integrity solution when you assess the data analytics solution!